SSL.com’s Friday Security Roundup – December 4, 2015

143 years ago today the merchant vessel Mary Celeste was discovered, mysteriously abandoned and adrift, off the Azores.
You can thank Arthur Conan Doyle and the Victorian popular press for the cloud of fanciful theories offered to explain the mystery (including religious mania and drunken brawling, though we ourselves have always been partial to the giant squid attack thesis). The Mary Celeste also remains a widely used metaphor for eerily abandoned places, though we expect those who come after us will be more likely to compare any such place to an abandoned Second Life campus.

The online wunderkammer Futility Closet has a great podcast on the Mary Celeste that is well worth a listen. So meditate on life’s mysteries (where did the crew go? Are SSL handshakes symmetric or asymmetric? And who still uses ColdFusion?) while we present some of the security issues SSL.com has been following for you this week.


DO AS WE SAY, NOT AS WE DO, PART ONE

Offered, by your friends at the Department of Homeland Security: penetration testing services for US companies. As reported by security journalist Brian Krebs, the National Cybersecurity Assessment and Technical Services (NCATS) program applies the same testing the DHS runs against its own infrastructure to private-sector entities deemed critical to national well-being (if you guessed this means “mostly banks and oil companies” you get a cookie).

Status: We’ll pass, thanks. Certainly NCATS seems like a better use of your taxpayer dollars than some we can think of, but we’d feel more confident using it if the DHS’s own infrastructure weren’t itself riddled with serious vulnerabilities. A recent review found problems ranging from weak passwords, through woefully inaccurate security reporting systems, to well over a hundred systems (including many carrying Secret and Top Secret classifications) with no designated administrator – i.e., no one in charge of updating software, applying security patches or performing the myriad other tasks necessary to keep black hats at bay. We (very sadly) are pretty sure we’ll be hearing more on this front before too terribly long.

DO AS WE SAY, NOT AS WE DO, PART TWO

Meanwhile, in Menlo Park: the DHS’ Silicon Valley Office (SVO) has scheduled a trade fair for December 10th to connect security startups with agency funding. Securing the surging tsunami of wildly hackable devices now flooding the market (from thermostats to automobiles) is the main agenda of the DHS’ Cyber Physical Systems Security program (or CPSSEC, which we recognize as YABA).

Status: Short answer: file under “better late than never”. More generally, we do give muted props to the DHS SVO for recognizing the massive and burgeoning problem that is IoT security, and for trying to solicit knowledgeable help to combat it. (But, as noted above, it is a pity the DHS doesn’t practice coherent IoT and infrastructure security on its own devices. And didn’t get a subscription to Wired. In 2013.)

THE INTERNET OF INSECURE…TOYS?

Justified: security concerns about Mattel’s connected “Hello Barbie” doll, as raised by the puckish online IT magazine The Register way, way back in February. The issues El Reg pointed out ten months ago are proving all too valid: the app controlling “Hello Barbie” (developed by Mattel partner ToyTalk) exhibits some classic IoT security errors (hardcoded passwords, trivially easy Wi-Fi spoofing), while ToyTalk’s insecurely configured servers still accept SSLv3 and are therefore vulnerable to the POODLE attack, the SSLv3 CBC padding-oracle flaw first disclosed in October 2014. The fix for POODLE has been known since the day it was published (turn SSLv3 off; no amount of cipher-suite tuning helps while it stays on), so a server still exposed to it fourteen months later is a configuration failure, not a surprise. (ToyTalk’s CEO downplays the findings as the work of “an enthusiastic researcher”. We’re not sure why “enthusiasm” is supposed to be a knock against the researcher’s credibility.)
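Since "is SSLv3 still on?" is the one question a POODLE report boils down to, here is an added example of how to answer it from the wire, written for this roundup and not taken from ToyTalk, The Register or the researcher in question. It builds a bare SSLv3 ClientHello, sends it, and classifies the first record the server returns: an SSLv3 ServerHello means the precondition for POODLE is met; a protocol_version alert or a dropped connection means SSLv3 is off. The cipher-suite list, the default port and the two sample replies are assumptions constructed for the example, not captured from any real host.

```python
import os
import socket
import struct

# Constructed example for this roundup (not ToyTalk's or SSL.com's code).
# Offer a server an SSLv3-only ClientHello and see whether it takes the bait.

SSLV3 = b"\x03\x00"            # SSL 3.0 version bytes (major 3, minor 0)
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Assumed list: CBC suites an SSLv3-era server would recognise.
# POODLE needs a CBC suite, so these are the ones worth offering.
CIPHER_SUITES = (0x000A, 0x002F, 0x0035, 0x0016, 0x0013)


def build_sslv3_client_hello(client_random=None):
    """Return one complete SSLv3 record carrying a minimal ClientHello."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version: only SSLv3 offered
        + client_random                         # 32-byte client random
        + b"\x00"                               # empty session_id
        + struct.pack(">H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: message type (1 byte) + 24-bit body length
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body
    # Record header: content type, version, 16-bit fragment length
    return bytes([RECORD_HANDSHAKE]) + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sends back to the SSLv3 ClientHello.

    "sslv3-accepted"   ServerHello negotiated SSL 3.0 (POODLE precondition met)
    "negotiated-X.Y"   ServerHello chose some other version
    "refused-alert-N"  TLS alert with AlertDescription N (70 = protocol_version)
    "closed"           server dropped the connection without a record
    "unexpected"       anything else
    """
    if len(data) < 5:
        return "closed"
    content_type = data[0]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        # ServerHello body follows the 4-byte handshake header; the first two
        # body bytes are server_version.
        major, minor = payload[4], payload[5]
        if bytes([major, minor]) == SSLV3:
            return "sslv3-accepted"
        return "negotiated-%d.%d" % (major, minor)
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return "refused-alert-%d" % payload[1]   # payload[0] is level, [1] is description
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


# Constructed sample replies for offline use (not captured from any real host).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"                    # handshake record, 42-byte fragment
    + b"\x02\x00\x00\x26"                      # ServerHello, 38-byte body
    + b"\x03\x00" + b"\x11" * 32               # server_version 3.0, server random
    + b"\x00" + b"\x00\x2f" + b"\x00"          # no session id, suite 0x002F, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal protocol_version (70)

if __name__ == "__main__":
    for name, sample in (("sslv3 ServerHello", SAMPLE_SSLV3_SERVER_HELLO),
                         ("protocol_version alert", SAMPLE_PROTOCOL_VERSION_ALERT)):
        print(name, "->", classify_response(sample))
    # Against a live host: print(probe_sslv3("example.invalid"))
```

A single "refused" result proves only that the one endpoint you reached refused; hosts behind load balancers, or with several listeners, need every address and port checked. And the remedy is the same whatever the probe says: remove SSLv3 from the server configuration rather than trying to steer clients toward particular suites.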

Meanwhile, reported by the online journal Motherboard, and arguably even worse: a hack of toymaker VTech that exposed the personal data of some five million customers. The information found includes not only the standard data breach fare (names, addresses, phone numbers and so forth) but also logs of chats between parents and children, headshots of kids and reportedly even audio files recorded on VTech devices, all of it uploaded to the company’s servers.

Status: Appalled.

Selling insecure networked devices is very bad practice.
Selling insecure devices intended for use by children is frankly inexcusable.
And retaining terabytes of customer data, for whatever reason, increasingly looks like a lethal (and legally actionable) tar pit for businesses that won’t properly secure it. Big-data security risks are bad enough for businesses like Ashley Madison and Sony, but infinitely worse for child-oriented companies like VTech and Mattel.

The only upside to the VTech story is that the information is not (as far as we know) being used maliciously – heck, even the hacker in this case seems appalled at the scope of information retained by VTech. According to Motherboard reporter Lorenzo Franceschi-Bicchierai, the hacker stated: “Frankly, it makes me sick that I was able to get all this stuff…VTech should have the book thrown at them.”


As always, we appreciate your reading our Security Roundup, and hope you have a terrific weekend. And remember what we truly believe here at SSL.com – a safer internet is a better internet.

Image: Wikimedia Commons